A member of the Securities and Exchange Commission (SEC) believes the agency should mull over whether to require public companies and investment advisers to perform the same kind of reporting, preparation, and planning for cyber incidents that the Financial Industry Regulatory Authority (FINRA) requires of registered broker-dealers.
Commissioner Elad Roisman outlined his thinking on the agency’s approach to cybersecurity regulatory issues in general in a speech Friday to the Los Angeles County Bar Association.
“The SEC has imposed specific obligations on particular registrants relating to certain cybersecurity risks,” he said. “But it’s undeniable that our registrants, who have more general obligations under the securities laws—such as to serve the best interests of clients or to shareholders—also are accountable for taking measures to prevent and mitigate damage from these threats as part of their broader responsibilities.”
He continued: “Accordingly, it has become increasingly important for market participants to work with counsel and other experts on preparing for potential cyberattacks before they happen—that is, devising a plan for monitoring for cyber threats, responding to potential breaches, and understanding when information must be reported outside the company and to whom.”
On the spectrum of rules-based versus principles-based rulemaking, Roisman, a Republican, comes down decidedly in favor of the latter, which affords regulated entities more flexibility in meeting certain requirements. Principles-based rulemaking was a mantra under former SEC Chair Jay Clayton, reflected in the development of rulemaking for Regulation Best Interest (Reg BI); modernizing and simplifying of corporate disclosures mandated by the Fixing America’s Surface Transportation (FAST) Act; and loosening of rules regarding proxy solicitation, among others.
The interests of retail investors, as well as small public companies with limited capacity for meeting onerous and time-consuming regulations, were always at the forefront of thinking.
But on the topic of how and when public companies should report cyber incidents, Roisman indicated he is in favor of ladling additional requirements about how to prepare for and defend against cyberattacks, as well as more vigorous reporting requirements for breaches and other cyberattacks.
“Given the increasing and inevitable reliance of advisers on technology in their businesses, it is time that the Commission bring more clarity to this issue in cases where there may be confusion about whether to notify the Commission and investors in the event of a cybersecurity breach,” he said. “Of course, any such obligation should be principles-based and allow advisers the flexibility to tailor notification measures to their business and the facts and circumstances of the situation. But, there should be some framework for reporting cyber incidents to clients and to the Commission, to the extent the adviser has identified them to be material.”
Cyber incident requirements for investment advisers
The SEC already requires investment advisers and broker-dealers to have policies and procedures in place to “address administrative, technical, and physical safeguards for the protection of customer records and information” under Regulation S-P. The rule also requires such policies and procedures be reasonably designed to protect customer information, against anticipated threats or hazards to its security or integrity and against unauthorized access.
The SEC and Commodity Futures Trading Commission added another layer of responsibility for broker-dealers, investment companies, and some registered investment advisers when they implemented the “Red Flags Rule” regarding identity theft in 2013.
More generally, the SEC requires investment advisers to “adopt and implement written compliance policies and procedures reasonably designed to prevent violations,” while the agency’s Division of Investment Management “has issued guidance over the years about how advisers should be thinking about cybersecurity concerns in the context of their fiduciary duties,” Roisman noted.
“Given the increasing and inevitable reliance of advisers on technology in their businesses, it is time that the Commission bring more clarity to this issue in cases where there may be confusion about whether to notify the Commission and investors in the event of a cybersecurity breach.”
SEC Commissioner Elad Roisman
Roisman then took things a step further when he cited rules FINRA has in place for broker-dealers as a framework for cybersecurity requirements for investment advisers, and perhaps, public companies. Examples cited included mandates for broker-dealers to implement policies and procedure for business continuity planning, as well as requirements to promptly report law violations.
Under the violations rule, FINRA expects its members “to report only conduct that has widespread or potential widespread impact to the member, its customers, or the markets or conduct that arises from a material failure of the member’s systems, policies, or practices involving numerous customers, multiple errors, or significant dollar amounts,” Roisman noted. FINRA encourages registered entities to report material cyber events even if they don’t meet the threshold outlined in the rule, he said.
Cyber incident reporting for public companies
As it stands, the SEC has only issued guidance, not rules, regarding the reporting of cyber events. Some firms will report such events to fulfill the disclosure benchmarks set forth in Regulation S-K and Regulation S-X, “which require public companies to make disclosure regarding, among other things, their business and operations, risk factors, management’s discussion and analysis, and disclosure controls and procedures,” Roisman said.
Other guidance issued by the SEC urges public companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion,” and to implement disclosure controls and procedures to identify such incidents and discern their potential impact. But again, reporting these cyber incidents to the SEC is not required so much as it is encouraged.
When cyberattacks affect a public company’s finances, such as when criminals trick employees into wiring them significant amounts of money in cyber-fraud schemes, the SEC will often take a hard look in postmortem analysis at internal accounting controls that should have warded off such attacks.
Roisman said he has not seen any draft rule but hopes if the SEC proposes one that it would define any new legal obligations for investment advisers and public companies clearly; avoid creating inconsistencies with requirements from sister regulatory agencies; and would take into consideration the limitations of smaller companies to comply.
After advocating for more structure around a new rule for preparing, planning for, and reporting cyber incidents, Roisman added a principles-based approach “would likely work best.”
“This is a large and complicated problem, and there is much work left to be done,” Roisman said. “However, I am happy that we are trying to bring greater clarity and hopefully will work hand-in-hand with the public and registrants to understand what can be done to ensure appropriate cyber readiness and protections for investors.”